3.16.37-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Yishai Hadas <yishaih@xxxxxxxxxxxx> commit 5533c18ab02b17a7f2ac11908e2d97d4b421617d upstream. In procedure mlx4_ib_create_flow, passing an invalid port number will cause an out-of-bounds array access. Data passed to this procedure can come from user-space. Therefore, need to validate port number before proceeding onwards. Note that we check against the number of physical ports declared at the verbs (ib core) level; When bonding is active, the verbs level sees one physical port, even though the low-level driver sees two ports. Fixes: f77c0162a339 ("IB/mlx4: Add receive flow steering support") Signed-off-by: Yishai Hadas <yishaih@xxxxxxxxxxxx> Reviewed-by: Jack Morgenstein <jackm@xxxxxxxxxxxxxxxxxx> Reviewed-by: Moni Shoua <monis@xxxxxxxxxxxx> Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx> Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx> [bwh: Backported to 3.16: - Adjust context - Function returns an integer, not a pointer/error] Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> --- drivers/infiniband/hw/mlx4/main.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/infiniband/hw/mlx4/main.c +++ b/drivers/infiniband/hw/mlx4/main.c @@ -1016,6 +1016,9 @@ static int __mlx4_ib_create_flow(struct [IB_FLOW_DOMAIN_NIC] = MLX4_DOMAIN_NIC, }; + if (flow_attr->port < 1 || flow_attr->port > qp->device->phys_port_cnt) + return -EINVAL; + if (flow_attr->priority > MLX4_IB_FLOW_MAX_PRIO) { pr_err("Invalid priority value %d\n", flow_attr->priority); return -EINVAL; -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html